Mac OS X Unleashed

By John Ray and William C. Ray

Networking Applications

Many of the command-line network applications are simply textual equivalents of graphical network applications with which you're likely to already be familiar. There are command-line applications for browsing the Web, transferring files over the Internet, reading your e-mail, and most other network functions you're familiar with. Most of these have both advantages and disadvantages with respect to their graphical counterparts. The mouse has proven a very efficient tool for tasks involving complex selections, and the command-line applications fail in situations that would require fast and furious mousing. On the other hand, if you're using a terminal and at a command-line prompt, it's almost always faster to use a textual tool to do something quick, such as transfer a file via FTP, than it is to start a graphical client. An additional difference is that some command-line applications can function in both an interactive fashion and as a building-block program. This allows many of them to be used in shell scripts or other programs to provide their functionality to a more complex program that needs to use it.

Browsing the Web: lynx

lynx is a command-line Web client. Surprising as it might seem, many people prefer browsing the Web in a text-only application. There are, of course, many pages that simply can't be browsed without a graphics-capable application, but those pages are written by people who aren't concerned with making their information as widely available as possible, and don't seem to be of interest to people who prefer to browse in text only.

The basic syntax of lynx is lynx <URL>. This will give you a textual representation of the page, plus a few lines of prompting information about what you can do from there. For example, looking at http://www.apple.com/, lynx produces the following output:

[localhost:~] nermal% lynx http://www.apple.com

       #home index

    Apple The Apple Store iTools iCards QuickTime Apple Support Mac OS X
    Hot News Hardware Software Made4Mac Education Creative Small Biz Developer
    Where to Buy

       Blue Dalmation Rip. Mix. Burn. The new iMac. With iTunes + CD-RW drive.
                         Headphones

                             Hot News Headlines Hot News Ticker

        Now Shipping. Mac OS X. QuickTime 5: Download the new digital media standard.
              Final Cut Pro 2 PowerBook G4 - 1" think - 5.3 pounds - Titanium.

                                        [spacer.gif]
                                          Gray line

                              _________________________ Search
                              Site Map | Search Tips | Options

                              Find Job Opportunities at Apple.

                          Visit other Apple sites around the world:
                                    [Choose...___________]

                                 Contact Us | Privacy Notice
                Copyright © 2001 Apple Computer, Inc. All rights reserved.
                                      1-800-MY-APPLE


                                 Powered by MacOSXServer

    (NORMAL LINK)   Use right-arrow or <return> to activate.
    Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
    H)elp O)ptions P)rint G)o M)ainscreen Q)uit /=search [delete]=history list

If you want to move down the page, follow the on-screen instruction and press the spacebar, which moves down one screenful at a time.

The up-arrow and down-arrow keys will move you up and down the page, and will also select between the links on the page. The right-arrow and left-arrow keys will take you, somewhat predictably, to the target of the currently selected link, or back to the previous page.

Common one-key commands within lynx are as shown in Table 15.1.

Table 15.1. Common One-Key Commands Within the lynx Interactive Web Browser

Key                        Action
+/-                        Move down or up the page.
<space bar>                Move down the page.
<right arrow>, <return>    Go to the selected link.
<left arrow>               Go back.
<up arrow>                 Select the previous link, downloadable element, or form field.
<down arrow>               Select the next link, downloadable element, or form field.
d                          Download the target of the currently selected link or downloadable element.
H                          Go to the lynx help pages. These pages are implemented as HTML pages, so you can go forward and back in them with the forward and back arrows.
O                          Go to the lynx Options page. Here you can set an assortment of internal parameters, such as where your lynx bookmarks are stored.
P                          Print the current page.
G                          Go to a new URL.
M                          Go back to the Main page, by which lynx means the page that you first started on.
Q                          Quit the program.
/                          Search in the page.
<delete>                   Show the history for the current browser window.

There is a veritable plethora of additional one-key options that are explained in the lynx help, under the Key-stroke commands heading.

The lynx browser also sports a wide range of command-line options that enable or modify advanced behaviors. These include items like sending the data to STDOUT, or collecting a list of the URLs contained in the document.

Finally, it should be mentioned that lynx, like much Unix software, works great as a command-line building-block utility. Ever wanted to process the contents of a Web page, perhaps to do something like collect all the links from someone's page of interesting links, without having to dig through the source by hand? Using the -dump option will cause lynx to send the target document of the URL to STDOUT, followed by a list of the URLs in the document. For example, if you wanted to collect a list of URLs to all the Darwin patches shown on http://www.darwinfo.org/ (specifically, the stuff in the patches subdirectory), you could use lynx like this:

[localhost:~] nermal% lynx -dump http://www.darwinfo.org/patches/

        Hexley Darwinfo Logo
          _________________________________________________________________

            [1]Home [2]The FAQ [3]How To... [4]Patches [5]Ports [6]Links

          _________________________________________________________________

                                    Darwin Patches

          _________________________________________________________________

        This section if for patches to source code in order to alter it in
        some way, either to add functionallity, fix bugs, or just compile on
        Darwin.
          * [7]bootx patch - This is a patch to bootx to allow you to boot
            /mach_kernel.backup during startup by holding down 'cmd-b'. By
            Louis Gerbarg.
          * [8]gcc crosscompile - This is a patch to the current (Nov. 7th)
            gcc source to be able to build a cross compiler under Darwin. By
            Stan Shebs.
          * [9]/dev/random - This is a /dev/random for Darwin! Now, you can
            actually have decent random number generation for Darwin!
            [10](Read more...) By Louis Gerbarg
          * [11]noffs.patch: A patch that cleans up some of the configuration
            files to allow one to build xnu without UFS in the kernel. By
            Louis Gerbarg
          * [12]Tcl 8.3.1 for Darwin - patch to TCL 8.3.1 to compile as a
            framework for Darwin, so that almost all of the incuded tests
            pass. [13](Read more...) By Chris Douty
          * [14]Screen 3.9.5 - patch to get Screen to compile for darwin
            [15](Read More...) By Graham Orndorff
          * [16]mfs.tar.gz - A patch to add a struct buf *b_actf to the struct
            buf definition in xnu/bsd/sys/buf.h. The mfs.tar.gz file should
            replace xnu/bsd/ufs/mfs.  [17](Read More...) By Rob Braun
          * [18]newfs.diff - I also added the option where you can do a
            mount_mfs swap /mntpt, and that'll create fake settings for the
            size of the mounted filesystem. The fake settings were ripped off
            from NetBSD's newfs. By Rob Braun
          * [19]bigmem.diff - A patch to allow xnu to boot on Intel systems
            with 256MB or more of memory. Thanks to John Kullmann.
          * [20]iocatalog.intel.diff - Fixes a syntax error in
            xnu/iokit/IOCatalog.cpp for Intel machines. Without this, the
            kernel won't boot on Intel. By Naoki Hamada.
          * [21]groff.diff - Fixes a bus error when using grops in the groff
            package. By Scott Thompson.
          * [22]diskdev_cmds-man.diff - Modifies the build environment to
            install the man pages. By Torrey Lyons.
          * [23]xnu 103.0.1 for 604 - A patch from Markus Hitter for booting
            xnu 103.0.1 on a 604. Originally posted in [24]this mail. By
            Markus Hitter .
          * [25]UniEnet - A patch to make the UniEnet driver only display
            supported media types. By Louis Gerbarg.
          * [26]Intel Cursor - A patch to fix the invisible cursor on Intel
            machines. By Rob Braun.

     Deprecated Patches

        These patches are either out of date, or have already been integrated
        into the cvs tree.
          * [27]sysctl.diff - Makes sysctl deal with the hostid variable
            correctly. By Ryan Rempel.
          * [28]xnu-intel.diff - This is a collection of patches to bring the
            current cvs version of xnu up on Intel. This patch incorporates
            Naoki Hamada's patch to fix iokit/KernelConfigTables.cpp to allow
            the kernel to boot on Intel, Justin Walker's fix for bpf under
            Intel, and my patch to get the cursor working on the console.
          * [29]/dev/zero - Adds a /dev/zero to Darwin. Especially useful. By
            Louis Gerbarg
          * [30]cons.diff - Fixes the Darwin console to display at the proper
            width&height. From me.. By Rob Braun
          * [31]inetd-pid.diff - Make inetd write it's pid to
            /var/run/inetd.pid. By Rob Braun
          * [32]mach_init.diff - Makes sure mach_init properly hands off
            arguments to init. Prior to this patch, mach_init would not
            properly hand off multiple args to init (such as -v and -s
            sumultaneously). And [33]here is a gzipped binary of the patched
            mach_init. By Rob Braun
          * [34]pwd_mkdb.diff - In an attempt to run Darwin without netinfo
            and the host of daemons surrounding it, I needed the utilities
            pwd_mkdb and vipw. I found that the current versions in cvs have
            minor bugs preventing their correct execution. These are minor
            patches to each to make them work properly. ---Sat, 12 Aug 2000
            16:46:38 -0600 By Rob Braun
          * [35]vipw.diff - See the notes on pwd_mkdb above. By Rob Braun

          _________________________________________________________________

        copyright © 2000 [36]Tom Hackett and [37]Rob Braun
        Hexley image created and copyright Jon Hooper

     References

        1. http://www.darwinfo.org/
        2. http://www.darwinfo.org/faq.shtml
        3. http://www.darwinfo.org/howto/
        4. http://www.darwinfo.org/patches/
        5. http://www.darwinfo.org/ports
        6. http://www.darwinfo.org/links.shtml
        7. http://www.rpi.edu/~gerbal/darwinpatches/bootx_backup.patch
        8. http://www.darwinfo.org/pub/darwin/fixes/xcompile.diff
        9. http://www.rpi.edu/~gerbal/darwin-patches/devrandom.patch
       10. http://www.darwinfo.org/patches/dev_random_patch.shtml
       11. http://www.rpi.edu/~gerbal/darwin-patches/noffs.patch
       12. http://www.darwinfo.org/patches/tcl831ForDarwin-2.patch
       13. http://www.darwinfo.org/patches/tcl831patch.shtml
       14. http://www.darwinfo.org/patches/screen_patch.diff
       15. http://www.darwinfo.org/patches/screen_port.shtml
       16. http://www.darwinfo.org/patches/mfs.tar.gz
       17. http://www.darwinfo.org/patches/mfs.shtml
       18. http://www.darwinfo.org/patches/newfs.diff
       19. http://www.darwinfo.org/patches/big_mem.diff
       20. http://www.darwinfo.org/patches/iocatalog.intel.diff
       21. http://www.darwinfo.org/patches/groff.diff
       22. http://www.darwinfo.org/patches/diskdev_cmds-man.diff
       23. http://www.darwinfo.org/patches/604-103.0.1.diff
       24. http://www.darwinfo.org/devlist.php3?number=2809
       25. http://www.darwinfo.org/patches/UniEnet.cpp.patch
       26. http://www.darwinfo.org/patches/intel-cursor.diff
       27. http://www.darwinfo.org/patches/sysctl.diff
       28. http://www.darwinfo.org/patches/xnu-intel.diff
       29. http://www.rpi.edu/~gerbal/devzero.patch.gz
       30. http://www.darwinfo.org/patches/cons.diff
       31. http://www.darwinfo.org/patches/inetd-pid.diff
       32. http://www.darwinfo.org/patches/mach_init.diff
       33. http://www.darwinfo.org/patches/mach_init.gz
       34. http://www.darwinfo.org/patches/pwd_mkdb.diff
       35. http://www.darwinfo.org/patches/vipw.diff
       36. mailto:tomhackett@darwinfo.org
       37. mailto:bbraun@darwinfo.org

If you wanted to parse just the URLs out of this output, you could simply run lynx and pipe the output through grep, looking for URL patterns. Something like lynx -dump http://www.darwinfo.org/patches/ | grep "http:" will do the trick, and produces the following output:

[localhost:~] nermal% lynx -dump http://www.darwinfo.org/patches/ | grep "http:"

        1. http://www.darwinfo.org/
        2. http://www.darwinfo.org/faq.shtml
        3. http://www.darwinfo.org/howto/
        4. http://www.darwinfo.org/patches/
        5. http://www.darwinfo.org/ports
        6. http://www.darwinfo.org/links.shtml
        7. http://www.rpi.edu/~gerbal/darwin-patches/bootx_backup.patch
        8. http://www.darwinfo.org/pub/darwin/fixes/xcompile.diff
        9. http://www.rpi.edu/~gerbal/darwin-patches/devrandom.patch
       10. http://www.darwinfo.org/patches/dev_random_patch.shtml
       11. http://www.rpi.edu/~gerbal/darwin-patches/noffs.patch
       12. http://www.darwinfo.org/patches/tcl831ForDarwin-2.patch
       13. http://www.darwinfo.org/patches/tcl831patch.shtml
       14. http://www.darwinfo.org/patches/screen_patch.diff
       15. http://www.darwinfo.org/patches/screen_port.shtml
       16. http://www.darwinfo.org/patches/mfs.tar.gz
       17. http://www.darwinfo.org/patches/mfs.shtml
       18. http://www.darwinfo.org/patches/newfs.diff
       19. http://www.darwinfo.org/patches/big_mem.diff
       20. http://www.darwinfo.org/patches/iocatalog.intel.diff
       21. http://www.darwinfo.org/patches/groff.diff
       22. http://www.darwinfo.org/patches/diskdev_cmds-man.diff
       23. http://www.darwinfo.org/patches/604-103.0.1.diff
       24. http://www.darwinfo.org/devlist.php3?number=2809
       25. http://www.darwinfo.org/patches/UniEnet.cpp.patch
       26. http://www.darwinfo.org/patches/intel-cursor.diff
       27. http://www.darwinfo.org/patches/sysctl.diff
       28. http://www.darwinfo.org/patches/xnu-intel.diff
       29. http://www.rpi.edu/~gerbal/devzero.patch.gz
       30. http://www.darwinfo.org/patches/cons.diff
       31. http://www.darwinfo.org/patches/inetd-pid.diff
       32. http://www.darwinfo.org/patches/mach_init.diff
       33. http://www.darwinfo.org/patches/mach_init.gz
       34. http://www.darwinfo.org/patches/pwd_mkdb.diff
       35. http://www.darwinfo.org/patches/vipw.diff
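An added example (not from the book) of doing this URL extraction a little more carefully in a shell function: grep "http:" also matches any body line that happens to mention http: and misses ftp: or mailto: references, whereas this takes only the numbered list that lynx -dump prints after its References heading. The sample dump is constructed and embedded so the script runs without lynx or a network connection; extract_refs and count_refs are this example's own names, not lynx options.

```shell
#!/bin/sh
# Pull the numbered URL list out of "lynx -dump" output.
# With lynx installed you would feed it live output instead of the sample:
#   lynx -dump "$url" | extract_refs http

# Constructed sample of an abbreviated lynx -dump. It deliberately contains
# a body line mentioning "http:" and non-HTTP references, to show what a
# plain grep "http:" would get wrong.
SAMPLE_DUMP='        Darwin Patches

        See http://example.invalid/notes for details.
          * [1]bootx patch - patch to bootx. By Louis Gerbarg.
          * [2]/dev/random - [3](Read more...)

     References

        1. http://www.darwinfo.org/patches/bootx.patch
        2. ftp://ftp.example.invalid/pub/devrandom.patch
        3. http://www.darwinfo.org/patches/dev_random_patch.shtml
        4. mailto:webmaster@example.invalid
'

# Print the URLs from the References section, one per line, in order.
# Optional first argument: a scheme filter such as http or ftp (default: all).
extract_refs() {
    scheme="${1:-}"
    awk -v scheme="$scheme" '
        # Everything up to the "References" heading is page body: skip it.
        /^ *References *$/ { in_refs = 1; next }
        # Reference lines look like "   12. http://..." ; strip the number.
        in_refs && /^ *[0-9]+\. / {
            sub(/^ *[0-9]+\. /, "")
            if (scheme == "" || index($0, scheme ":") == 1) print
        }
    '
}

# Number of references in the sample matching the given scheme (or all).
count_refs() {
    printf '%s' "$SAMPLE_DUMP" | extract_refs "${1:-}" | wc -l | tr -d ' '
}

# Demo: only the two http: references, not the body line or the ftp:/mailto: ones.
printf '%s' "$SAMPLE_DUMP" | extract_refs http
```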

The -dump option turns out to be useful for doing things that don't relate to processing the URLs as well, such as downloading files from FTP or HTTPD servers. You'll see examples of this use of lynx during the software installs in Chapter 16, "Command Line Software Installation."

The lynx command documentation table is shown in Table 15.2.

Table 15.2. The Command Documentation Table for lynx

lynx    Textual Web browser
lynx [options] [file]
You can find out which options are available by running lynx -help. Here is the listing of command-line options for the current version of lynx:
-  Receive options and arguments from STDIN.
-accept_all_cookies  Accept cookies without prompting if Set-Cookie handling is on (off).
-anonymous  Apply restrictions for anonymous account; see also -restrictions.
-assume_charset=MIMEname  Charset for documents that don't specify it.
-assume_local_charset=MIMEname  Charset assumed for local files.
-assume_unrec_charset=MIMEname  Use this instead of unrecognized charsets.
-auth=id:pw  Authentication information for protected documents.
-base  Prepend a request URL comment and BASE tag to text/html for -source dumps.
-book  Use the bookmark page as the start file (off).
-buried_news  Toggle scanning of news articles for buried references (on).
-cache=NUMBER  NUMBER of documents cached in memory.
-case  Enable case-sensitive user searching (off).
-cfg=FILENAME  Specify a lynx.cfg file other than the default.
-child  Exit on left arrow in start file, and disable save to disk.
-connect_timeout=N  Set the N-second connection timeout (18000).
-cookie_file=FILENAME  Specify a file to use to read cookies.
-cookie_save_file=FILENAME  Specify a file to use to store cookies.
-cookies  Toggle handling of Set-Cookie headers (on).
-core  Toggle forced core dumps on fatal errors (off).
-crawl  With -traversal, output each page to a file; with -dump, format output as with -traversal, but to STDOUT.
-debug_partial  Incremental display stages with MessageSecs delay (off).
-display=DISPLAY  Set the display variable for X exec'ed programs.
-dont_wrap_pre  Inhibit wrapping of text in <pre> when -dumping and -crawling; mark wrapped lines in interactive session (off).
-dump  Dump the first file to STDOUT and exit.
-editor=EDITOR  Enable edit mode with specified editor.
-emacskeys  Enable emacs-like key movement (off).
-enable_scrollback  Toggle compatibility with comm programs' scrollback keys (might be incompatible with some curses packages) (off).
-error_file=FILE  Write the HTTP status code here.
-force_empty_hrefless_a  Force HREF-less A elements to be empty (close them as soon as they are seen) (off).
-force_html  Force the first document to be interpreted as HTML (off).
-force_secure  Toggle forcing of the secure flag for SSL cookies (off).
-forms_options  Toggle forms-based versus old-style options menu (on).
-from  Toggle transmission of From headers (on).
-ftp  Disable FTP access (off).
-get_data  User data for get forms, read from STDIN, terminated by '---' on a line.
-head  Send a HEAD request (off).
-help  Print this usage message.
-hiddenlinks=[option]  Hidden links options are merge, listonly, and ignore.
-historical  Toggle use of '>' or '-->' as a terminator for comments (off).
-homepage=URL  Set home page separate from start page.
-image_links  Toggle inclusion of links for all images (off).
-index=URL  Set the default index file to URL.
-ismap  Toggle inclusion of ISMAP links when client-side MAPs are present (off).
-link=NUMBER  Starting count for lnk#.dat files produced by -crawl (0).
-localhost  Disable URLs that point to remote hosts (off).
-mime_header  Include MIME headers and force source dump.
-minimal  Toggle minimal versus valid comment parsing (off).
-newschunksize=NUMBER  Number of articles in chunked news listings.
-newsmaxchunk=NUMBER  Maximum news articles in listings before chunking.
-nobold  Disable bold video attribute.
-nobrowse  Disable directory browsing.
-nocc  Disable Cc: prompts for self copies of mailings (off).
-nocolor  Turn off color support.
-nofilereferer  Disable transmission of Referer headers for file URLs (on).
-nolist  Disable the link list feature in dumps (off).
-nolog  Disable mailing of error messages to document owners (on).
-nonrestarting_sigwinch  Make window size change handler non-restarting (off).
-nopause  Disable forced pauses for status-line messages.
-noprint  Disable some print functions, like -restrictions=print (off).
-noredir  Don't follow Location: redirection (off).
-noreferer  Disable transmission of Referer headers (off).
-noreverse  Disable reverse video attribute.
-nostatus  Disable the miscellaneous information messages (off).
-nounderline  Disable underline video attribute.
-number_fields  Force numbering of links as well as form input fields (off).
-number_links  Force numbering of links (off).
-partial  Toggle display of partial pages while downloading (on).
-partial_thres[=NUMBER]  Number of lines to render before repainting display with partial-display logic (-1).
-pauth=id:pw  Authentication information for protected proxy server.
-popup  Toggle handling of single-choice SELECT options via pop-up windows or as lists of radio buttons (off).
-post_data  User data for post forms, read from STDIN, terminated by '---' on a line.
-preparsed  Show parsed text/HTML with -source and in source view to visualize how lynx behaves with invalid HTML (off).
-print  Enable print functions (DEFAULT); opposite of -noprint (on).
-pseudo_inlines  Toggle pseudo-ALTs for inlines with no ALT string (on).
-raw  Toggle default setting of 8-bit character translations or CJK mode for the startup character set (off).
-realm  Restrict access to URLs in the starting realm (off).
-reload  Flush the cache on a proxy server (only the first document affected) (off).
-restrictions=[options]  Use -restrictions to see list.
-resubmit_posts  Toggle forced resubmission (no cache) of forms with method POST when the documents they returned are sought with the PREV_DOC command or from the History List (off).
-rlogin  Disable rlogins (off).
-selective  Require .www_browsable files to browse directories.
-short_url  Enable examination of beginning and end of long URL in status line (off).
-show_cursor  Toggle hiding of the cursor in the lower-right corner (on).
-soft_dquotes  Toggle emulation of the old Netscape and Mosaic bug that treated '>' as a co-terminator for double quotes and tags (off).
-source  Dump the source of the first file to STDOUT and exit.
-stack_dump  Disable SIGINT cleanup handler (off).
-startfile_ok  Allow non-HTTP start file and home page with -validate (off).
-tagsoup  Use TagSoup rather than SortaSGML parser (off).
-telnet  Disable telnets (off).
-term=TERM  Set terminal type to TERM.
-tlog  Toggle use of a lynx Trace Log for the current session.
-tna  Turn on Textfields Need Activation mode (off).
-trace  Turn on lynx trace mode.
-traversal  Traverse all HTTP links derived from start file.
-underscore  Toggle use of _underline_ format in dumps (off).
-useragent=Name  Set alternative Lynx User-Agent header.
-validate  Accept only HTTP URLs (meant for validation); implies more restrictions than -anonymous, but goto is allowed for HTTP and HTTPS.
-verbose  Toggle [LINK], [IMAGE], and [INLINE] comments with filenames of these images (on).
-version  Print lynx version information.
-vikeys  Enable vi-like key movement (off).
-width=NUMBER  Screen width for formatting of dumps (default is 80).
-with_backspaces  Omit backspaces in output if -dumping or -crawling (like man does) (off).

Accessing FTP Servers: ftp

ftp is the command name for the program that implements the FTP protocol (creative, no?). Historically on the Macintosh, the Anarchie and Fetch programs have been the FTP clients of preference, and both of these provide features that are sadly lacking in the default command-line ftp interface. The command-line interface, however, is again a quick and convenient way to get or put a file or three, without needing to launch a graphical client. It also tends to be better for diagnosis purposes when an FTP transfer fails, or when a file can't be found. All the messages from the server can be seen immediately, and are directly in response to the commands you issue, so if something's wrong, it's much clearer at what point it goes that way.

To connect to a remote site using ftp, simply issue the command as ftp <ftp site>. This will, presuming all goes well, connect you to the remote site and request your user ID and password. If you're trying to connect to a public site, the default guest user ID is anonymous. After that, the site will ask you for a password, which, if you're connecting as an anonymous user, should be your e-mail address. Responding properly to both of these queries (anonymous and your e-mail address, or your correct user ID and password) will take you to an internal prompt in the ftp program, from which you can traverse the site's directories and upload or download files.

Following is a sample of what you might see after connecting to a site that doesn't really want you there. This sort of information is largely hidden in the graphical FTP clients, frequently leaving you clicking Retry indefinitely; in reality, the site is trying to give you some helpful information.

[localhost:~] nermal% ftp ftp.cis.ohio-state.edu

     220 www.cis.ohio-state.edu FTP server (Version wu-2.6.1(4) Fri Jul
                                            14 13:02:07 EDT 2000) ready.
     Name (ftp.cis.ohio-state.edu:nermal): anonymous
     331 Guest login ok, send your complete e-mail address as password.
     Password:
     530-Sorry, the limit of 20 users logged in has been exceeded (20).
     530-We've had to cut back to avoid swamping our outside link.
     530-
     530-Please try again later.
     530-
     530-To report problems, please contact ftp@cis.ohio-state.edu.
     530 Login incorrect.

And this is an example of what you might see if you have connected properly.

[localhost:~] nermal% ftp ftp.cis.ohio-state.edu

     Connected to www.cis.ohio-state.edu.
     220 www.cis.ohio-state.edu FTP server (Version wu-2.6.1(4)
     Fri Jul 14 13:02:07 EDT 2000) ready.
     Name (ftp.cis.ohio-state.edu:nermal): anonymous
     331 Guest login ok, send your complete e-mail address as password.
     Password:
     230-Hello [unknown]@ryoohki.biosci.ohio-state.edu.
     230-
     230-This is the anonymous FTP archive of the Computer and Information
     230-Science Department and The Ohio State University.
     230-
     230-You are user 1 out of 30 users currently allowed in.
     230-
     230-This FTP server is running on a Sun Enterprise 250, with approximately
     230-100 GB of disk space.  The directory space was recently reorganized
     230-and cleaned.
     230-
     230-Mirrors of other sites are in /mirror
     230-Everything else is in /pub
     230-
     230-Please report any problems to ftp@cis.ohio-state.edu
     230-
     230 Guest login ok, access restrictions apply.
     Remote system type is UNIX.
     Using binary mode to transfer files.
     ftp>
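As an added example (not from the book), here is a small shell parser for the reply format you see in those two transcripts: RFC 959 multi-line replies open with NNN- and close with NNN followed by a space, so a script can pull out the final reply code and the human-readable explanation that a graphical client would hide behind a Retry button. The transcripts are constructed, modelled on the 530 and 230 replies above; ftp_final_code, ftp_final_text and ftp_reply_class are this example's own names.

```shell
#!/bin/sh
# Interpret the server replies shown by the command-line ftp client.
# Usage with a real session: script the client and feed its output to these
# functions, e.g.  ftp -v host 2>&1 | tee session.log ; ftp_final_code < session.log

# Constructed transcripts (modelled on the two real ones above).
FTP_REFUSED='220 ftp.example.invalid FTP server ready.
Name (ftp.example.invalid:nermal): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530-Sorry, the limit of 20 users logged in has been exceeded (20).
530-We have had to cut back to avoid swamping our outside link.
530-
530-Please try again later.
530 Login incorrect.
'
FTP_ACCEPTED='220 ftp.example.invalid FTP server ready.
331 Guest login ok, send your complete e-mail address as password.
230-Hello [unknown]@client.example.invalid.
230-You are user 1 out of 30 users currently allowed in.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
'

# Print the three-digit code of the last complete reply on stdin.
# A reply line is "NNN-text" (more lines follow) or "NNN text" (final line);
# client prompts such as "Password:" carry no code and are ignored.
ftp_final_code() {
    awk '
        /^[0-9][0-9][0-9][ -]/ {
            if (substr($0, 4, 1) == " ") code = substr($0, 1, 3)
        }
        END { print code }
    '
}

# Print the text of the last reply with the "NNN-" / "NNN " prefixes removed:
# for a refused login, this is the explanation the server wanted you to read.
ftp_final_text() {
    awk '
        /^[0-9][0-9][0-9][ -]/ {
            line = substr($0, 5)
            buf = (buf == "") ? line : (buf "\n" line)
            if (substr($0, 4, 1) == " ") { last = buf; buf = "" }
        }
        END { printf "%s", last }
    '
}

# Classify a reply code by its first digit (RFC 959 reply categories).
ftp_reply_class() {
    case "$1" in
        2??) echo success ;;
        3??) echo more-input-needed ;;
        4??) echo transient-failure ;;
        5??) echo permanent-failure ;;
        *)   echo unknown ;;
    esac
}

# Demo on the refused session: code, category, then the server's explanation.
code=$(printf '%s' "$FTP_REFUSED" | ftp_final_code)
echo "refused session: final reply $code ($(ftp_reply_class "$code"))"
printf '%s' "$FTP_REFUSED" | ftp_final_text
echo
```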

From this ftp> prompt, you can issue commands such as help, rhelp, get, put, cd, ls, pwd, and potentially others, depending on the server configuration. The output from the help command will give you a list of the commands available in your client, and the output of rhelp will tell you about the commands on the server:

ftp> help

     Commands may be abbreviated.  Commands are:

     !               debug           mget            put             size
     $               dir             mkdir           pwd             status
     account         disconnect      mls             quit            struct
     append          form            mode            quote           system
     ascii           get             modtime         recv            sunique
     bell            glob            mput            reget           tenex
     binary          hash            newer           rstatus         trace
     bye             help            nmap            rhelp           type
     case            idle            nlist           rename          user
     cd              image           ntrans          reset           umask
     cdup            lcd             open            restart         verbose
     chmod           ls              passive         rmdir           ?
     close           macdef          prompt          runique
     cr              mdelete         proxy           send
     delete          mdir            sendport        site

ftp> rhelp

     214-The following commands are recognized (* =>'s unimplemented).
        USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP
        PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP
        ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU
        SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD    SIZE
        REIN*   MODE    MSND*   REST    XCWD    HELP    PWD     MDTM
        QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD
     214 Direct comments to ftp@cis.ohio-state.edu.

Additionally, you can ask for help on specific commands—one of the more interesting ones to ask about in the listing shown is the site command:

ftp> rhelp site

     214-The following SITE commands are recognized (* =>'s unimplemented).
        UMASK           GROUP           INDEX           GROUPS
        IDLE            GPASS           EXEC            CHECKMETHOD
        CHMOD           NEWER           ALIAS           CHECKSUM
        HELP            MINFO           CDPATH

The site command implements FTP-site-specific command options; you'd need to contact the administrator to find out exactly what those options are and which ones you are allowed to use.

Files that you get from the FTP server will be placed (unless you specify otherwise by giving a download path along with the get command at the prompt) into the same directory from which you issued the ftp command.

Another thing that the command-line ftp client does much better than the graphical clients is let you know about, and access, special features that the server has available for your use. Because the command-line client can't recursively download directories as the graphical clients can, and because it predates the graphical clients by many years, the most popular Unix FTP servers provide facilities to compensate. For example, many sites provide automatic tarring and compressing of directories, so that even though you can't recursively download a directory, you can still retrieve it all, conveniently tarred and compressed, with a single command. To access these special facilities, though, you have to get files that don't exist—typically named <directoryname>.tar or <directoryname>.tar.gz. The server intercepts the request for the nonexistent name and dynamically creates the tarfile or compressed tarfile. This facility could be accessed even with graphical clients, but because those clients hide the server messages by default, the user rarely knows the facility is available, and the nonexistent filenames are notoriously difficult to click on.

The following is an example of interaction with a server that provides this sort of special facility to the user.

[localhost:~/osx-test] joray% ftp ftp.cpan.org

     Connected to onion.valueclick.com.
     220 onion.valueclick.com FTP server (Version wu-2.6.1(1) Thu Nov 23 12:15:07 PST
     2000) ready.
     Name (ftp.cpan.org:joray): anonymous
     331 Guest login ok, send your complete e-mail address as password.
     Password:
     230-
     230-Welcome to onion.valueclick.com, also known as ftp.perl.org,
     230-ftp.cpan.org and others.
     230-
     230-
     230-       ValueClick - The Pay-for-Results Advertising Network
     230-          http://www.valueclick.com/ sponsors this site.
     230-
     230-Comments to ask@valueclick.com and jacob@netcetera.dk. If you ask nicely we
     230-might want to mirror or host your Open Source project too. It needs to be
     230-accessible for us via rsync though.
     230-
     230-most popular things around here:
     230-
     230-  /pub/CPAN/              - Comprehensive Perl Archive Network
     230-  /pub/FreeBSD/           - FreeBSD mirror
     230-  /pub/apache/dist/       - the Apache webserver
     230-  /pub/perl/              - Other Perl bits (APC, ...)
     230-  /pub/mysql/Downloads/   - the MySQL database
     230-  /pub/perl/backup.pause/ - mirror of the historical PAUSE archive
     230-
     230-Most things here are also available at
     230-
     230-  http://mirrors.valueclick.com/
     230-
     230-which probably will be faster if you are using a webbrowser.
     230-
     230-
     230-Please read the file README
     230-  it was last modified on Thu Apr 19 06:23:27 2001 - 3 days ago
     230 Guest login ok, access restrictions apply.
     Remote system type is UNIX.
     Using binary mode to transfer files.

ftp> cd /pub/CPAN/authors/id/W/WI

     250 CWD command successful.

ftp> ls -l

     200 PORT command successful.
     150 Opening ASCII mode data connection for /bin/ls.
     total 4
     -r--r--r--  1 mirror  mirror   307 Jan 28 01:33 CHECKSUMS
     drwxrwxr-x  2 mirror  mirror   512 Feb 22 16:04 WICKLINE
     drwxrwxr-x  2 mirror  mirror  1024 Apr  9 22:57 WIMV
     drwxr-xr-x  2 mirror  mirror   512 Dec 20  1998 WINKO
     226 Transfer complete.

ftp> cd WINKO

     250 CWD command successful.

ftp> ls -l

     200 PORT command successful.
     150 Opening ASCII mode data connection for /bin/ls.
     total 10
     -r--r--r--  1 mirror  mirror   548 Dec 13 18:31 CHECKSUMS
     -rw-r--r--  1 mirror  mirror  965 Dec 11  1996 String-BitCount-1.11.readme
     -rw-r--r--  1 mirror  mirror 2316 Dec 11  1996 String-BitCount-1.11.tar.gz
     -rw-r--r--  1 mirror  mirror   925 Dec 10  1996 String-Parity-1.31.readme
     -rw-r--r--  1 mirror  mirror  3586 Dec 11  1996 String-Parity-1.31.tar.gz
     226 Transfer complete.

ftp> cd ..

     250 CWD command successful.
ftp> binary

     200 Type set to I.

ftp> get WINKO.tar.gz

     local: WINKO.tar.gz remote: WINKO.tar.gz
     200 PORT command successful.
     150 Opening BINARY mode data connection for /bin/tar.
     226 Transfer complete.
     7375 bytes received in 0.166 seconds (44521 bytes/s)

ftp> quit

     221-You have transferred 7375 bytes in 1 files.
     221-Total traffic for this session was 10107 bytes in 3 transfers.
     221-Thank you for using the FTP service on onion.valueclick.com.
     221 Goodbye.

[localhost:~/osx-test] joray% ls

     WINKO.tar.gz

[localhost:~/osx-test] joray% gunzip WINKO.tar.gz
[localhost:~/osx-test] joray% tar -tvf WINKO.tar

     drwxr-xr-x  2 1001     1001           0 Dec 20  1998 WINKO
     -r--r--r--  1 1001     1001         548 Dec 13 13:31 WINKO/CHECKSUMS
     -rw-r--r--  1 1001     1001         965 Dec 10  1996 WINKO/String-BitCount-1.11.readme
     -rw-r--r--  1 1001     1001        2316 Dec 11  1996 WINKO/String-BitCount-1.11.tar.gz
     -rw-r--r--  1 1001     1001         925 Dec 10  1996 WINKO/String-Parity-1.31.readme
     -rw-r--r--  1 1001     1001        3586 Dec 11  1996 WINKO/String-Parity-1.31.tar.gz

In this example, we've retrieved a tarred and gzipped copy of the WINKO directory with a single command, even though no WINKO.tar.gz file exists on the server. As shown, it arrives on our local machine with the expected contents. Because the archive was built on demand, there is no published checksum for it as a whole; the CHECKSUMS file that came along inside the directory is what you would use to verify the individual files it contains.

The command documentation table for ftp is shown in Table 15.3.

Table 15.3. The Command Documentation Table for ftp

ftp File transfer program.
ftp [-dgintv] [ <hostname> [ <port> ]]
The remote host with which ftp is to communicate can be specified on the command line. Done this way, ftp immediately tries to establish a connection with the remote host. Otherwise, ftp enters its command interpreter mode, awaits commands from the user, and displays the prompt ftp>.
-d Enables debugging.
-g Disables filename globbing.
-i Turns off interactive prompting when transferring multiple files (mget, mput, mdelete).
-n Does not attempt auto-login upon initial connection. If auto-login is not disabled, ftp checks for a .netrc file in the user's home directory for an entry describing an account on the remote machine. If no entry is available, ftp prompts for the login name on the remote machine (defaults to the login name on the local machine), and if necessary, prompts for a password. Because .netrc holds account names and passwords in clear text, keep it readable only by you (mode 600); ftp refuses to use a password from a .netrc that other users can read.
-t Enables packet tracing.
-v Enables verbose mode. Default if input is from a terminal. Shows all responses from the remote server as well as transfer statistics.
When ftp is in its command interpreter mode awaiting instructions from the user, there are many commands that the user might issue. Some of them include:
ascii Sets the file transfer type to network ASCII. Although this is supposed to be the default, it is not uncommon for an FTP server to indicate that binary is its default.
binary Sets the file transfer type to support binary image transfer.
bye Terminates the ftp session and exits ftp. An end of file also terminates the session and exits.
quit Same as bye.
cd <remote_directory> Changes the current working directory on the remote host to <remote_directory> .
cdup Changes the current working directory on the remote host to the parent directory.
close Terminates the ftp session with the remote host and returns to the command interpreter.
disconnect Same as close.
dir [ <remote_directory> [ <local_file> ]] Prints a listing of the directory on the remote machine. Most Unix systems produce ls -l output. If <remote_directory> is not specified, the current directory is assumed. If <local_file> is not specified, or is -, the output is sent to the terminal.
ftp <hostname> [ <port> ] Same as open.
open <hostname> [ <port> ] Attempts to establish an ftp connection on <hostname> at <port> , if <port> is specified.
glob Toggles filename expansion for mdelete, mget, and mput. If globbing is turned off, filename arguments are taken literally and not expanded.
delete <remote_file> Deletes the specified <remote_file> on the remote machine.
mdelete <remote_files> Deletes the specified <remote_files> on the remote machine.
get <remote_file> [ <local_file> ] Downloads <remote_file> from the remote machine to the local machine. If <local_file> is not specified, the file is saved on the local machine under the name <remote_file> .
recv <remote_file> [ <local_file> ] Same as get.
mget <remote_files> Downloads the specified <remote_files> .
put <local_file> [ <remote_file> ] Uploads the specified <local_file> to the remote host. If <remote_file> is not specified, the file is saved on the remote host under the name <local_file> .
send <local_file> [ <remote_file> ] Same as put.
mput <local_files> Uploads the specified <local_files> .
msend Same as mput.
help [ <command> ] Displays a message describing <command> . If <command> is not specified, a listing of known commands is displayed.
? Same as help.
lcd <directory> Changes the working directory on the local machine. If <directory> is not specified, the user's home directory is used.
ls [ <remote_directory> [ <local_file> ]] Prints a list of the files in a directory on the remote machine. If <remote_directory> is not specified, the current working directory is assumed. If <local_file> is not specified, or is -, the output is printed to the terminal. Note that if nothing is listed, the directory might contain only directories. Try ls -l or dir for a complete listing.
mkdir <directory> Makes the specified <directory> on the remote machine.
rmdir <directory> Removes the specified <directory> from the remote machine.
passive Toggles passive mode. If passive mode is on (it is off by default in this client), the ftp client sends a PASV command before each data transfer rather than a PORT command. PASV asks the server to listen on a port of its choosing and report that address; the client then connects out to it. With PORT, the client listens and tells the server its address, and the server connects back to the client, which is exactly what a firewall or NAT device in front of the client will block. Passive mode is therefore what you want when FTPing through a firewall. Not all FTP servers support passive mode.
pwd Prints the current working directory on the remote host.
verbose Toggles verbose mode. Default is on. In verbose mode, all responses from the ftp server are shown as well as transfer statistics.

Terminals in Terminals: telnet, rlogin, ssh

Because one of the primary methods for interacting with a Unix machine that you're sitting in front of is via a textual terminal, it should come as no surprise that there are a number of network tools available to allow you to access remote machines through that same interface. The three primary examples of these are the telnet, rlogin, and ssh/slogin (secure shell) clients. Each of these provides a connection to a remote machine that is analogous to the one that Terminal.app provides to your local machine: you get access to a command prompt and can run software on the remote machine just like software in Terminal.app on the local machine.

The telnet Program

telnet is a venerable program that opens a plain TCP connection to a host and port and passes text back and forth with almost no processing. Because so many Internet services, from Web to mail to file transfer, are built on exactly that kind of line-oriented text exchange, telnet can talk to many of them by hand. It is, unfortunately, as trivial as it is ubiquitous, and provides no built-in security: everything, including your login name and password, crosses the network in the clear. Terminal services implemented directly on top of it are therefore inherently insecure, and the telnet client and server used for remote login fall into this category.

The syntax of the telnet command is telnet <host> [ port number ].

If you're communicating with a system that's either not connected to the Internet, or run by a particularly security-unconscious system administrator, you might actually be able to use it as a terminal application. In that case, if you issue the telnet command you might see something like the following:

[ray@venice ~]$ telnet krpan.killernuts.org

     Trying 192.168.1.10...
     Connected to krpan.killernuts.org (192.168.1.10).
     Escape character is '^]'.

     Red Hat Linux release 7.0 (Guinness)
     Kernel 2.4.2 on a 2-processor i686
     login: adam
     Password:
     Last login: Thu Apr 19 19:36:23 on vc/1
     You have mail.

     Terminal: vt100.
     Printer set to newsioux

     krpan adam %

At that point, you're at a shell prompt on the remote machine, and can interact with it just as you interact with your local machine via its shell prompt in the terminal.

If everyone you know is concerned about security and has their telnet daemons disabled, there are still a number of interesting uses for the telnet client. Because it simply sends what you type to a port on the remote machine and shows you what comes back, you can use it to talk by hand to any server that speaks a text-based protocol. It might not seem useful to talk to a Web server with a program that doesn't understand HTTP and can't display the result properly, but it turns out to have a number of interesting applications.

For example, your Web browser tells you that a server isn't responding—can you tell whether it's the Web server software that's not responding, or the machine that hosts it that's not responding? telnet to the HTTP port (port 80) on the server, and see what the response is. If the Web server software and machine are both okay, your session should look something like this:

[localhost:~] nermal% telnet www.biosci.ohio-state.edu 80

     Trying 140.254.12.240...
     Connected to ryoko.biosci.ohio-state.edu.
     Escape character is '^]'.

If the machine is okay, but the Web server software isn't speaking, the session might instead look more like:

[localhost:~] nermal% telnet rosalyn.biosci.ohio-state.edu 80

     Trying 140.254.12.151...
     telnet: Unable to connect to remote host: Connection refused

If the machine is completely absent from the network, such as catbert in the following example, the response will get only to the Trying line, and hang there, well, trying—I press Ctrl+C in the example to convince it to give up.

[localhost:~] nermal% telnet catbert.biosci.ohio-state.edu 80

     Trying 140.254.12.236...
     ^C

Finally, if there really isn't a machine by that name at all, you'll see:

[localhost:~] nermal% telnet dingbat.biosci.ohio-state.edu 80

     dingbat.biosci.ohio-state.edu: Unknown host
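The four transcripts above are four different failure modes, and telling them apart is exactly what a reachability check in a monitoring or troubleshooting script has to do. The following is an added example, not code from the book: it classifies a TCP connect attempt the way the telnet output does. The hosts in the transcripts are not contacted; the demo uses only a loopback socket and the reserved .invalid name, so it runs offline.

```python
"""Added example (not from the book): reproduce the four telnet outcomes in code.

Each return value maps to what the telnet transcripts show:
  "open"         Connected to ...          something is listening on the port
  "refused"      Connection refused        host is up, nothing listens on that port
  "timeout"      hangs at "Trying ..."     host is silent, or a firewall drops the SYN
  "unknown-host" <host>: Unknown host      the name does not resolve
  "unreachable"  any other socket error    no route, network down, etc.
"""
import socket


def probe_tcp(host, port, timeout=5.0):
    """Classify a TCP connect attempt to host:port without sending any data."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unknown-host"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def demo():
    """Produce the outcomes that can be generated offline, on the loopback
    interface. The hosts in the book's transcripts are not contacted."""
    # A listening socket on an ephemeral port stands in for a live web server
    # (constructed for the demo; nothing ever accepts the connection, and the
    # kernel completes the handshake anyway, which is all telnet waits for).
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": probe_tcp("127.0.0.1", port, timeout=2.0)}
    # Close it, and the same port now behaves like a host that is up with
    # the service down: the kernel answers the SYN with a reset.
    listener.close()
    results["closed"] = probe_tcp("127.0.0.1", port, timeout=2.0)
    # RFC 2606 reserves .invalid, so this name can never resolve, online or off.
    results["bogus-name"] = probe_tcp("nohost.invalid", 80, timeout=2.0)
    return results


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome:12s} -> {value}")
```

The "timeout" case cannot be produced on loopback, which is the point: a silent host and a firewall that drops packets look identical from the outside, and only the timeout budget distinguishes "slow" from "gone".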

The rlogin Program

Whereas telnet was conceived with hardly any concern for security, rlogin was developed under the seemingly quaint notion that certain connections could be trusted based only on their self-proclaimed credentials. Its traffic crosses the network unencrypted, just as telnet's does, and the server's confidence in a visitor's identity rests on two things it cannot verify: that the connection came from a privileged (below 1024) source port, which only root could open on a well-behaved Unix host, and that the calling host and user name appear in /etc/hosts.equiv or the target user's ~/.rhosts. Anyone with root on any machine, or able to spoof the source address, can satisfy both. Using it is similar to telnet, except that it doesn't accept an optional connection port, and it fills in your user ID on the remote system from your local user ID. The syntax is simply rlogin <remotehost> .

Like the telnet program, if you're connecting to machines that aren't connected to the Internet, the rlogin client is just as good as any. If you're connecting to machines that are connected to the Internet, please don't use the rlogin program, even if the remote machine makes it available. Doing so only risks your accounts and data on both local and remote machines, and the security of both machines as well.

The Secure-Shell Software Suite: slogin, scp, sftp, and Others

The Secure Shell collection of programs provides strongly encrypted communications between your machine and a remote server. The implementation that Apple has chosen to provide is based on the OpenSSH (http://www.openssh.org/) distribution of the protocols. The protocol requires both client software, which we will cover in this chapter, and server software that will be covered in Chapter 26. Here, we will assume that you already have a server to talk to, and will detail the use of the client software on the Unix side of your OS X machine to talk to your remote server.

slogin

The starting point for use of the Secure Shell client is the slogin program. This program replaces the functionality of the telnet and rlogin programs, and provides some additional capabilities as well. Unlike telnet and rlogin, slogin encrypts everything that passes between the two machines. Public-key cryptography is used to authenticate the server (and, optionally, you) and to agree on a session key; the session itself is then encrypted with a symmetric cipher such as 3DES or Blowfish (see the -c option in Table 15.4).

The basic use of slogin is much like that for rlogin—simply issue the command slogin <machinename> , where <machinename> is the name or IP address of the remote machine to which you'd like to connect. If the remote machine is running a Secure Shell server and it is configured to allow you to connect, the server will respond asking for your password. If you respond correctly, you will be left at a shell prompt on the remote machine, and can type into it and execute commands, just as though you were in a Terminal.app window typing to your local machine. A successful slogin attempt might look something like this:

[localhost:~] joray% slogin rosalyn.biosci.ohio-state.edu

     joray@rosalyn's password:
     Last login: Sat Apr 21 19:55:15 2001 from dhcp9574211.colu
     You have new mail.
     /home/joray

     ...Remote login...

     /net/rosalyn/home2/joray

     Rosalyn joray 201 >

Again, at this point we're at a shell prompt on the remote machine rosalyn.biosci.ohio-state.edu.

Some system administrators choose not to allow remote logins through simple password authentication, because passwords are generally short enough for a computer to guess by brute force. Instead, the Secure Shell suite can authenticate you with a key pair: the server checks that you hold the private key matching a public key it has on file, and the private key is itself protected on your machine by an arbitrarily long, multiword passphrase that never crosses the network. A slogin connection requiring this type of login looks like this:

[localhost:~/test-stuff] miwa% slogin rosalyn

     Enter passphrase for RSA key 'miwa@ryoohki':
     Last login: Sat Apr 21 15:55:55 2001 from ryoohki.biosci.o
     You have mail.
     Rosalyn miwa 1 >

If the remote machine is running this more restrictive configuration (and we recommend that you do so, if you choose to enable remote connections to your machine when we get to Chapter 26), you will be asked not for your password but for the passphrase that protects your private key, if you have created one. If you have not generated a key pair and installed the public half on the remote machine, the connection will be refused.

Creating a key pair and passphrase involves a bit of work on your part. The private key must never leave your machine; what goes to the remote host is only the public key, and the work lies in getting it into place there. Because the server will trust whatever key it finds on file, the transfer should be over a route you trust not to substitute a different key: a floppy carried to the machine, or an existing login session, are safer than a network drop you cannot verify.

Creating a passphrase for yourself involves the following:

On your OS X machine, generate a key pair by running

ssh-keygen -d -C <username>@<osx-hostname>

The -d option generates a DSA key, the user-key type that this release of OpenSSH uses with the SSH2 protocol (later releases spell this -t dsa). The -C option sets the comment stored with the public key. By convention the comment is of the form <username> @ <hostname> , though it can carry more information. On the OS X machine where the sample was run, ssh-keygen supplies a comment of <user> @ <localhost> if you don't specify a more specific one.

When you run ssh-keygen, you are asked for a passphrase to protect the private key. It is recommended that the passphrase be at least 11 characters long and include as many character types as possible: uppercase letters, lowercase letters, numbers, and special characters. Spaces may be included as part of the passphrase.

Here is a sample run:

[localhost:~] miwa% ssh-keygen -d -C miwa@ryoohki

     Generating DSA parameter and key.
     Enter file in which to save the key (/Users/miwa/.ssh/id_dsa):
     Enter passphrase (empty for no passphrase):
     Enter same passphrase again:
     Your identification has been saved in /Users/miwa/.ssh/id_dsa.
     Your public key has been saved in /Users/miwa/.ssh/id_dsa.pub.
     The key fingerprint is:
     54:ae:7a:73:2e:12:3b:2e:68:ce:8d:61:33:95:83:81 miwa@ryoohki

As ssh-keygen tells us, user miwa does indeed have the promised keys, as shown in the following output. The private key was saved as id_dsa, and the public key was saved as id_dsa.pub; both are stored in the directory ~/.ssh/.

[localhost:~/.ssh] miwa% ls -al

     total 32
     drwx------   6 miwa  staff   160 Apr 16 16:55 .
     drwxr-xr-x  15 miwa  staff   466 Apr 16 15:46 ..
     -rw-------   1 miwa  staff   736 Apr 16 16:56 id_dsa
     -rw-r--r--   1 miwa  staff   602 Apr 16 16:56 id_dsa.pub
     -rw-r--r--   1 miwa  staff   353 Apr 16 15:31 known_hosts
     -rw-------   1 miwa  staff  1024 Apr 16 16:56 prng_seed

Next, we need to transfer the file id_dsa.pub to the remote host. Because you might generate different keys for different hosts, it's most convenient to rename the file first; this also keeps you from overwriting it the next time you create a key, or overwriting a key already on the remote host when you transfer it. Because it's your public key, it doesn't matter if the world can see it: you can copy it to your remote host via FTP, move it there on a floppy, or paste it across a logged-in terminal session. What does matter is that it arrives unaltered, since whoever can swap in their own key can log in as you. Compare the key text at both ends (or its fingerprint, as printed by ssh-keygen -l -f <file>) before you trust it.

On the remote host, the public key you just created needs to be appended to the file ~/.ssh/authorized_keys2 in your home directory (this OpenSSH release keeps SSH2 keys there; later releases use plain ~/.ssh/authorized_keys). If the file does not exist, create it. Be sure the key goes in as a single long line of data: a key that has been wrapped by an editor or mail program will silently fail to match. Also make sure that ~/.ssh is mode 700 and the keys file mode 600, and that neither your home directory nor ~/.ssh is writable by group or others, since sshd refuses to use keys from a directory that other users could alter.

Having done all this, if you now try to slogin to the remote host where you just added your key (and assuming the remote host is running sshd2!), you should be greeted with a login process asking for your passphrase instead of your password. Enter the passphrase exactly as you did to create the keys, and you will enjoy a data connection that is almost impossible to decrypt, and an access code (your passphrase) that is much more secure than a simple password.
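The remote-side step of the procedure above (append the public key as one line, then get the permissions right) is where most first attempts go wrong, so here it is as an added example, not code from the book. It installs a public key file into ~/.ssh/authorized_keys2 idempotently, rejects keys that have been wrapped onto several lines, and reports the permission problems that make sshd ignore the file. The key text it is exercised with is a constructed placeholder, not a real key.

```python
"""Added example (not from the book): install a public key into authorized_keys2
the way the text describes, with the checks sshd performs before trusting it."""
import os
import stat


def read_public_key(path):
    """Return the one-line public key in `path`, rejecting files that are
    empty or have been wrapped onto several lines in transit."""
    with open(path, "r", encoding="ascii") as f:
        lines = [ln.rstrip("\n") for ln in f if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"{path}: expected exactly one key line, found {len(lines)}")
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] not in ("ssh-dss", "ssh-rsa"):
        raise ValueError(f"{path}: not an SSH2 public key line")
    return lines[0]


def install_public_key(pubkey_path, home, filename="authorized_keys2"):
    """Append the key to <home>/.ssh/<filename> (once), forcing the modes
    sshd's StrictModes checks: the directory 0700, the keys file 0600.
    `filename` defaults to the name this OpenSSH release uses; later releases
    use plain authorized_keys. Returns True if the key was added, False if it
    was already present."""
    key = read_public_key(pubkey_path)
    ssh_dir = os.path.join(home, ".ssh")
    ak_path = os.path.join(ssh_dir, filename)

    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours the umask, so force it

    existing = []
    if os.path.exists(ak_path):
        with open(ak_path, "r", encoding="ascii") as f:
            existing = [ln.rstrip("\n") for ln in f]
    if key in existing:
        os.chmod(ak_path, 0o600)
        return False

    # Create with 0600 from the start rather than chmod-ing after the fact.
    fd = os.open(ak_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="ascii") as f:
        f.write(key + "\n")
    os.chmod(ak_path, 0o600)
    return True


def check_permissions(home, filename="authorized_keys2"):
    """Mirror sshd's refusal to use keys reachable through a group- or
    world-writable path. Returns a list of problems; empty means fine."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for p in (home, ssh_dir, os.path.join(ssh_dir, filename)):
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p} is group/world-writable ({oct(mode)})")
    return problems
```

Run it with your home directory and the renamed .pub file you transferred; if check_permissions reports anything, fix that before blaming the key.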

The slogin program also provides a neat method for protecting data transmissions other than terminals: an encrypted tunnel between the two machines connected by the slogin terminal connection. slogin can be told to listen for connections to a port on your local machine, package up the data from each connection, encrypt it, ship it to the other end of the tunnel, and unpack it there. You then point ftp, or any other network client, at your local machine (not the remote machine!), and slogin tunnels that connection to the remote machine and makes the connection at the other end. Because your user ID and password for the FTP server travel over the FTP control connection, which is what the tunnel carries, they are never in clear text on the network. Be aware, though, that a forwarded port protects only the connections made to that port. FTP sends directory listings and file contents over separate data connections, and as the example below shows, those are opened directly to the remote host and are not protected. For file contents, use scp or sftp, described later in this chapter.

To demonstrate this, the following slogin connection sets up a tunnel from the local machine to a remote machine named waashu, over which ftp connections can be carried.

[localhost:/Users/joray] root# slogin waashu.biosci.ohio-state.edu -l joray -L21:waashu:21
The authenticity of host 'waashu.biosci.ohio-state.edu' can't be established.
RSA key fingerprint is 54:d2:85:b2:fa:2f:f1:b8:c7:16:6f:ca:75:d8:0b:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'waashu.biosci.ohio-state.edu,140.254.12.239' (RSA)
                            to the list of known hosts.
joray@waashu.biosci.ohio-state.edu's password:
Last login: Tue Apr 17 15:50:07 2001 from rosalyn.biosci.ohio-state.edu
You have new mail.
...Remote login...
/home/joray

WAASHU joray 201 >

Again, this leaves the terminal connected to the remote machine, and sitting at a shell prompt on the remote machine.

After slogin is connected like this, it is connecting port 21, the normal ftp port on our machine (localhost) to port 21 on the remote host we're logged in to. Fire up another terminal window. The second terminal window will be used to invoke ftp to connect over the tunnel like so:

[localhost:~] joray% ftp localhost

     Connected to localhost.biosci.ohio-state.edu.
     220 waashu.biosci.ohio-state.edu FTP server ready.
     Name (localhost:joray): joray
     331 Password required for joray.
     Password:
     230 User joray logged in.
     Remote system type is UNIX.
     Using binary mode to transfer files.

ftp> passive

     Passive mode on.

ftp> cd osx-misc

     250 CWD command successful.
ftp> binary

     200 Type set to I.

ftp> put developer-1.tiff

     local: developer-1.tiff remote: developer-1.tiff
     227 Entering Passive Mode (140,254,12,239,60,59)
     150 Opening BINARY mode data connection for 'developer-1.tiff'.
     226 Transfer complete.
     1255376 bytes sent in 16.2 seconds (77490 bytes/s)

ftp> quit

     221 Goodbye.

To check whether it arrived okay, we go to the waashu terminal:

WAASHU osx-misc 203 > ls -l dev*tiff

     -rw-r--r--    1 joray    user    1255376 Apr 21 20:35 developer-1.tiff

Note that when we ftp to localhost, ftp reports that we're connected to localhost, but waashu answers: the tunnel is carrying the control connection as expected. Note also the 227 reply. The server hands back its real address, 140.254.12.239, and the client opens the data connection for developer-1.tiff straight to that address and port (60*256+59, or 15419), outside the tunnel. The login was protected; the contents of the file were not.

As noted earlier, use of port 21 is restricted to the root user, but for your first introduction, it made sense to direct the ftp port to the ftp port. There is nothing that limits the forwarding to connecting identically numbered ports, though, and ftp can also connect to ports other than the usual port 21. For use on a day-to-day basis, a normal user can replace the -L21:<machinename>:21 section of the command with -L2000: <machinename>:21. The ftp command then is extended by adding the port number for the local connection, as ftp localhost 2000.
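Two things in the tunnelled session above are worth seeing in code: how a local forwarded port relays a connection, and how to read a 227 reply to tell whether the data connection will go through the tunnel at all. The following is an added example, not code from the book or from OpenSSH. The forwarder is a plain, unencrypted stand-in for the local side of -L that shows only the relay mechanics; the PASV check uses the reply copied from the transcript. Everything runs on loopback, and no host from the book is contacted.

```python
"""Added example (not from the book): the relay mechanics behind `-L`, and a
check on the 227 reply that shows why FTP data bypasses such a tunnel."""
import re
import socket
import threading

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_is_tunnelled(reply, tunnel_host="127.0.0.1"):
    """True only if the server told us to open the data connection to the host
    the tunnel listens on. A server naming its own address sends the data
    connection straight past the tunnel."""
    host, _ = parse_pasv(reply)
    return host == tunnel_host


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF along."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Listen on an ephemeral loopback port and run handler(conn) per
    connection in its own thread. Returns (port, stop_event)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)  # so the loop can notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        lsock.close()

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1], stop


def start_local_forward(target_host, target_port):
    """What `-L <port>:<target_host>:<target_port>` does on the local side:
    each connection accepted locally is relayed, byte for byte, to the target.
    (slogin would encrypt the relayed bytes; this stand-in does not.)"""
    def relay(client):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)

    return _serve(relay)


def demo():
    """Relay one line through the forwarder to an echo server standing in for
    the remote FTP daemon, and inspect the 227 reply from the transcript."""
    echo_port, stop_echo = _serve(lambda conn: _pump(conn, conn))
    fwd_port, stop_fwd = start_local_forward("127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
        c.sendall(b"USER joray\r\n")   # constructed FTP command, echoed back
        c.shutdown(socket.SHUT_WR)
        got = b""
        while chunk := c.recv(4096):
            got += chunk
    stop_fwd.set()
    stop_echo.set()
    pasv = "227 Entering Passive Mode (140,254,12,239,60,59)"
    return got, parse_pasv(pasv), data_channel_is_tunnelled(pasv)
```

The forwarder never looks inside what it relays, which is exactly why it cannot help with FTP's second connection: the 227 reply from the transcript decodes to 140.254.12.239 port 15419, an address the client will connect to directly.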

Additional options for the operation of slogin are as shown in Table 15.4.

Table 15.4. The Command Documentation Table for ssh and slogin

ssh
slogin Secure shell remote login client
ssh [-l <login_name>] [<hostname> | <user>@<hostname>] [<command>]
ssh [-aAfgknqtTvxXCNP246] [-c <cipher_spec>] [-e <escape_char>] [-i <identity_file>] [-l <login_name>] [-o <option>] [-p <port>] [-L <port>:<host>:<hostport>] [-R <port>:<host>:<hostport>] [<hostname> | <user>@<hostname>] [<command>]
-a Disables forwarding of the authentication agent.
-A Enables forwarding of the authentication agent. This can also be specified on a per-host basis in a configuration file.
-f Requests ssh to go to background just before command execution. This implies -n. The recommended way to start X11 programs at a remote site is ssh -f host xterm.
-g Allows remote hosts to control local forwarded ports.
-k Disables forwarding of Kerberos tickets and AFS tokens. This may also be specified on a per-host basis in a configuration file.
-n Redirects stdin from /dev/null.
-q Quiet mode. Causes warning and diagnostic messages to be suppressed.
-t Forces pseudo-tty allocation. Useful for executing arbitrary screen-based programs on a remote machine.
-T Disables pseudo-tty allocation (SSH2 only).
-v Verbose mode. Causes debugging messages to be printed.
-x Disables X11 forwarding.
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
-C Requests compression of all data.
-N Does not execute a remote command. Useful for just forwarding ports. SSH2 only.
-P Uses a nonprivileged port for outgoing connections. Useful if your firewall does not permit connections from privileged ports. Turns off RhostsAuthentication and RhostsRSAAuthentication.
-L <port> : <host> : <hostport> Specifies that the given port on the client (local) host is to be forwarded to the given host and port on the remote side.
-R <port>:<host>: <hostport> Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.
-2 Forces SSH2 protocol.
-4 Forces ssh to use IPv4 addresses only.
-6 Forces ssh to use IPv6 addresses only.
-c blowfish|3des Selects the cipher to use for an SSH1 session. 3des is the default.
-c 3des-cbc,blowfish-cbc,arcfour,cast128-cbc For SSH2, a comma-separated list of ciphers can be specified in order of preference. SSH2 supports 3DES, Blowfish, and CAST128 in CBC mode, and Arcfour.
-e ch|^ch|none Sets escape character for sessions with a pty (default: ~). The escape character is only recognized at the beginning of a line. Followed by a . closes the connection; followed by ^Z suspends the connection; followed by itself sends the escape character once. Setting it to none disables any escapes and makes the session fully transparent.
-i <identity_file> Specifies the file from which the identity (private key) for RSA authentication is read. Default is $HOME/.ssh/identity
-l <login_name> Specifies the user to log in as on the remote machine. This may also be specified on a per-host basis in a configuration file.
-o <option> Can be used for giving options in the format used in the configuration file. Useful for specifying options that have no separate command-line flag. Option has the same format as a line in the configuration file.
-p <port> Specifies the port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

scp, sftp, and Others

In addition to the slogin program, the Secure Shell suite of programs provides additional data encryption and protection functions to the user. There are components that function analogously to the cp command that you learned about in the previous chapter (scp), and to the ftp command that you learned about earlier in this one (sftp).

The scp command can copy a file either from, or to, a Secure Shell remote host. The syntax, like cp, is scp <from> <to> . Either <from> or <to> can be specified as a remote machine and file, in the syntax [ <username> @] <remotemachine> : <pathtofile> . For example, the following command copies ~ray/public_html/my_bookmarks.html from the machine soyokaze (soyokaze is a host alias for soyokaze.biosci.ohio-state.edu on this machine) to a file by the same name in the local folder ~/Documents/.

[localhost:~] nermal% scp ray@soyokaze:public_html/my_bookmarks.html ~/Documents/

     The authenticity of host 'soyokaze' can't be established.
     RSA key fingerprint is 95:2f:55:91:57:4b:42:ad:63:fb:62:ce:b1:33:ba:eb.
     Are you sure you want to continue connecting (yes/no)? yes
     Warning: Permanently added 'soyokaze.biosci.ohio-state.edu,140.254.12.137'
                          (RSA) to the list of known hosts.
     ray@soyokaze.biosci.ohio-state.edu's password:
     warning: Executing scp1 compatibility.
     my_bookmarks.html    100% |***************************|   271 KB    00:01

The prompt about the host key isn't an error; it means this host hasn't been contacted before and its key isn't yet in ~/.ssh/known_hosts. It is, however, your only chance to check that you are talking to the right machine: compare the fingerprint against one obtained out of band (from the administrator, or from the machine's console) before answering yes. After that the key is stored, and a later warning that it has changed should be treated as a sign of possible interception, not a nuisance.

Likewise, the following copies the file myfile from the current directory to the directory /tmp, and names it yourfile on the remote machine soyokaze, again logging in using the user ID ray.

[localhost:~] nermal% scp ./myfile ray@soyokaze:/tmp/yourfile

     ray@soyokaze's password:
     warning: Executing scp1 compatibility.
     myfile               100% |*************************|     0       --:-- ETA

Note that scp doesn't make complaints about the host key the second time because it's already accepted and stored it.

The command documentation table for scp is shown in Table 15.5.

Table 15.5. The Command Documentation Table for scp

scp Secure remote copy
scp [-pqrvC46] [-S <program>] [-P <port>] [-c <cipher>] [-i
<identity_file>] [-o <option>] [[<user>@]<host1>:]<file1> [...]
[[<user>@]<host2>:]<file2>
-p Preserves modification times, access times, and modes from the original file.
-q Disables the progress meter.
-r Recursively copies entire directories.
-v Verbose mode. Causes scp and ssh to print debugging messages.
-C Enables compression. Passes the flag to ssh(1) to enable compression.
-4 Forces scp to use IPv4 addresses only.
-6 Forces scp to use IPv6 addresses only.
-S <program> Specifies <program> to use for the encrypted connection. Program must understand ssh(1) options.
-P <port> Specifies the port to connect to on the remote host.
-c <cipher> Selects the cipher to use for encrypting the data transfer. Option is passed directly to ssh(1).
-i <identity_file> Specifies the file from which the identity (private key) for RSA authentication is read.
-o <option> Passes specified option to ssh(1) .

Apple currently isn't distributing an sftp client as part of the OS X secure shell package, even though it is distributing an sftpd daemon with which you can allow other machines to connect to your OS X box. We've detailed using sftp to talk to your OS X box from another Unix box in Chapter 26. If Apple should start to distribute an sftp client for OS X, those instructions should be applicable to using sftp from your OS X box to elsewhere as well.
